Method for remotely controlling and/or regulating a system

ABSTRACT

The invention relates to a method for remotely controlling and/or regulating at least one system (1), in particular an industrial system using a communications device (2) which is assigned to the system (1), and at least one receiver device (3), information relating to the system being transmitted from the communications device (2) to the at least one receiver device (3), the information containing a validation code which is generated by the communications device (2), a message being received by the communications device (2), the communications device (2) extracting a check code and instruction information from the message according to a first extraction rule, the communications device (2) validating the message by means of the validation code and check code, and the instruction information being implemented by the system (1) only when the validation is successful.

TECHNICAL FIELD

The invention relates to the field of controlling and/or regulating remotely located systems. It relates to a method for remotely controlling and/or regulating a system, in particular an industrial system, in accordance with the preamble of the independent patent claim.

PRIOR ART

Possible ways of remotely monitoring, controlling and/or regulating are an increasingly important factor in the design of all types of systems, in particular in industrial systems and supply systems, for example in the areas of electricity, water and heat. Such possible ways permit increases in efficiency and flexibility when operating and maintaining the systems, in particular with respect to customer service performances and servicing performances, but also when complex systems are operated normally, if a frequent intervention of operator personnel for fault-free operation of the systems is required. One aspect of the remote monitoring and control relates here to the transmission of information relating to the system, for example in the form of a warning or of an alarm, and subsequent return transmission of instruction information as a reaction of the operator personnel.

EP 617350 discloses methods for remotely controlling heating or air-conditioning systems and for the performance of self-diagnostics with remote transmission of diagnostic results. During the self-diagnostics, data of the heating or air-conditioning system relating to the diagnostics are sensed, processed and encoded by a communications device and transmitted after a data link has been set up as diagnostic information to an external receiver device, at which they are received, decoded and ultimately processed, displayed, printed out and/or stored. During the remote control, a data link is firstly set up from an external instruction device to the communications device and instruction information is subsequently encoded in the instruction device, transmitted to the communications device, received there and decoded and ultimately processed and/or executed in the communications device and/or a controller and/or regulator of the heating or air-conditioning system. Diagnostic information and/or instruction information can be transmitted here via a direct line, but it is also possible to use existing conventional information transmission systems, for example telecommunications systems of the Deutsche Bundespost such as telephone, fax, Cityruf or the like for the transmission.

A problem with systems which can be remotely controlled and/or regulated is the risk of intervention in the system by unauthorized persons. If the communications device has a link to a public network, for example a telecommunications system of the Deutsche Bundespost, a link can be set up to the communications device by unauthorized persons without relatively great difficulties. If a protocol for encoding/decoding the instruction information is known, unauthorized persons can very easily transmit instruction information to the communications device. If this information is correspondingly executed by the controller and/or regulator, failures or even damage to the system may occur, and also, depending on the system, the surroundings and the environment may, under certain circumstances, also be put at risk or damaged. EP 617350 therefore proposes to carry out user authentication in the communications device before instruction information is actually input. For this purpose, a password or a code number containing the authorization for access to the communications device and thus to the system must be input.

While the risk of access by unauthorized persons can largely be prevented by user authentication, there is nevertheless a certain residual risk. This is in particular the case if the password or the code number is, or becomes, known to unauthorized persons.

One particular risk is also constituted by what are referred to as hacker attacks. These are attacks by unauthorized persons who aim to guess the password and/or code number through repeated attempts. In particular, systems of this kind whose communications devices have links to computer networks are particularly at risk here as the hacker attacks can be automated using computer programs and/or scripts so that a very large number of attempts at guessing a password and/or code number can be carried out within a short time.

DESCRIPTION OF THE INVENTION

For this reason, the object of the invention is to specify a method for remotely controlling and regulating systems which effectively minimizes the risk of manipulation by unauthorized persons and in particular protects against hacker attacks.

The object of the invention is also to specify a reliable method for remotely controlling and/or regulating a system which does not require a user authentication to take place before actual transmission of instruction information, so that said method is simple and efficient.

These objects are achieved by means of a method as claimed in claim 1. A communication which comprises information relating to the system and a validation code is dispatched, preferably to a receiver device which is determined in advance, by a communications device assigned to the system. As soon as the communications device receives a message at a time after the communication has been dispatched, a check code is extracted from this message according to a predefined rule. The origin of the message is checked by means of the validation code and check code taking into account the predefined rule, i.e. it is checked whether the message originates from a receiver of the communication. It is thus possible to use the validation code and check code to verify whether the received message constitutes a response to the dispatched communication.

Only in cases in which it has been successfully checked that the message originates from a receiver of the communication is instruction information both extracted from the received message in addition to the check code according to the predefined rule and processed and/or executed by the system.

If, on the other hand, it was not possible to use the validation code and check code to verify that the received message constitutes a response to the dispatched communication, either the instruction information is not extracted at all from the message or the extracted instruction information is ignored.

This object and further objects, advantages and features of the invention become clear from the following detailed description of a preferred exemplary embodiment of the invention in conjunction with the drawings.

BRIEF EXPLANATION OF THE DRAWING

FIG. 1 is a schematic view of a block circuit diagram of a system which can be remotely controlled and/or regulated by means of the method according to the invention.

The reference numerals used in the drawing and their significance are summarized in the list of reference numerals.

WAYS OF IMPLEMENTING THE INVENTION

FIG. 1 is a schematic view of a block circuit diagram of a system 1 which can be remotely controlled and/or regulated in accordance with the inventive method by means of a communications device 2, which has a system interface 21 and a network interface 22, and a receiver device 3. The network interface 22 has in each case at least one means for transmitting and receiving communications and/or messages.

Data relating to the system is collected and, if appropriate, conditioned in the communications device 2, a connected data processing system and/or a subunit of the system 1. The data may relate directly or indirectly to the system 1. Said data may comprise, on the one hand, operating parameters such as, for example, temperatures, pressures, flow rates of substances, configuration parameters such as switch settings or valve settings and, on the other hand, also ambient parameters such as, for example, ambient temperatures or the like. Said data may be, as in the abovementioned examples, individual data items which can be expressed by a single numerical value, but may advantageously also comprise complex data records which are preprocessed by a subunit of the system. Finally, the data is combined to form an information item. Here, the information item may be composed of only a single data item, but it can also be composed of a multiplicity of data items or else be the result of an analysis of data which has been carried out in the communications device 2, the connected data processing system or the system 1 itself.

A communication which contains the information is transmitted to a receiver device 3 by the communications device 2 via the network interface 21 when certain conditions are fulfilled. A condition for the transmission of a communication is preferably an error in the system 1 which is diagnosed when the data is evaluated. However, it is also conceivable that a communication is transmitted independently of a state of the system 1, for example if a parameter which indirectly relates to the system 1, such as the ambient temperature, exceeds or drops below a certain limiting value. In the aforesaid situations, the transmission of the communication constitutes, as it were, an alarm. The communication can, however, also be advantageously transmitted at a fixed time, on a fixed day or on previously determined dates.

A validation code is added to the communication by the communications device 2. For this purpose, the information and validation code are combined in accordance with a first combination rule. This is advantageously carried out by appending information and validation code. If the information and validation code are composed of sequences of characters, predefined control or special characters are advantageously interposed as a separator during the appending process.

Preferably, the validation code is valid only once and has a limited period of validity. The validation code is generated in a suitable way, for example by means of a random number generator so that it cannot be predicted by unauthorized persons. The limited period of validity and the fact that the validation code is valid only once make the system 1 more difficult to manipulate by unauthorized persons in cases in which the validation code becomes known.

The method according to the invention is continued as soon as a message is received by the communications device 2 via the network interface 21. The communications device 2 then extracts a check code from the message according to a first extraction rule. The origin of the received message is then checked by means of the validation code and the check code. A check code which is identical to the validation code is advantageously used for this purpose. The checking of the origin is then carried out by comparing validation code and check code. To do this, when the communication is dispatched, a copy of the validation code must be stored so that it is available for the comparison when a message is received later. A limited period of validity of the validation code is advantageously made possible in this case by virtue of the fact that a validity information is stored together with the validation code. However, a checking procedure can also advantageously be used without explicit knowledge of the validation code. Thus, inter alia, specific properties of the validation code can be used for checking, for example its checksum. The check code then only has to be checked for these properties, in the example the checksum.

In addition to the check code, instruction information is also extracted from the message in accordance with the first extraction rule. Only when there is successful checking by means of the validation code and check code is the instruction information passed on by the communications device 2 to the system 1 via the system interface 22 in order to be executed, if appropriate after previous processing. Here, a control device is preferably provided between the communications device 2 and system 1, the instruction information being transmitted to said control device and passed on from it to the system 1. If the checking was not successful, the instruction information is ignored.

The first extraction rule is preferably configured in such a way that the check code and instruction information are extracted by cutting out parts of the message.

As is apparent from the previous explanations, one application of the method according to the invention ensures that only a receiver of the communication, and thus of the validation code, is capable of issuing instructions for remotely controlling and/or regulating the system 1. In order to do this, the receiver must firstly extract the validation code from the communication in accordance with a second extraction rule which constitutes a reversal of the first combination rule. From the instructions which he intends to issue, he can generate a message together with the validation code given knowledge of the first extraction rule, from which the communications device 2, after having received said message, extracts a check code, which check code leads to successful checking of the message and thus to the extraction and implementation of the instruction information. To do this, he must use a second combination rule which ensures this.
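The dispatch, reply and check sequence described above, as an added example that is not part of the patent text. The `#` separator, the 300-second period of validity, the 16-hex-digit code, the sample alarm and instruction strings, and the names `CommunicationsDevice` and `build_reply` are assumptions made for illustration.

```python
import hmac
import secrets
import time

SEP = "#"          # assumed separator; the page only says "predefined control or special characters"
VALIDITY_S = 300   # assumed period of validity, in seconds


class CommunicationsDevice:
    """Device side: dispatches communications and validates the messages that come back."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = None   # (validation code, expiry time) of the outstanding communication
        self.executed = []     # instruction information passed on to the system

    def dispatch(self, information):
        """First combination rule: information, separator, validation code."""
        code = secrets.token_hex(8)   # 64 bits from the OS CSPRNG, not predictable
        self._pending = (code, self._clock() + VALIDITY_S)   # stored copy plus validity information
        return f"{information}{SEP}{code}"

    def receive(self, message):
        """First extraction rule: check code before the first separator, instruction after it."""
        check_code, sep, instruction = message.partition(SEP)
        if not sep or self._pending is None:
            return False
        code, expires_at = self._pending
        if self._clock() > expires_at:
            self._pending = None              # validity period over
            return False
        # Constant-time comparison; a wrong guess does not consume the code, so a
        # stranger cannot lock out the legitimate receiver.
        if not hmac.compare_digest(check_code.encode(), code.encode()):
            return False
        self._pending = None                  # valid once: a replay finds nothing to match
        self.executed.append(instruction)
        return True


def build_reply(communication, instruction):
    """Receiver side: second extraction rule (reverse of the first combination rule),
    then second combination rule (validation code, separator, instruction)."""
    _information, _sep, code = communication.rpartition(SEP)
    return f"{code}{SEP}{instruction}"


def demo():
    now = [0.0]                                # controllable clock for the expiry case
    device = CommunicationsDevice(clock=lambda: now[0])
    reply = build_reply(device.dispatch("ALARM: boiler pressure high"), "CLOSE VALVE 3")
    results = [
        device.receive("0123456789abcdef#OPEN VALVE 3"),   # guessed code: ignored
        device.receive(reply),                              # genuine response: executed
        device.receive(reply),                              # replay: ignored
    ]
    late = build_reply(device.dispatch("ALARM: pump offline"), "RESTART PUMP")
    now[0] += VALIDITY_S + 1
    results.append(device.receive(late))                    # expired: ignored
    return results, device.executed


if __name__ == "__main__":
    print(demo())
```

Each new communication replaces the stored code, so only a response to the most recent communication can pass the check.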

In a further preferred embodiment of the method according to the invention, dispatcher information is extracted from the message in accordance with a third extraction rule. In the communications device 2, the dispatcher information is checked and the instruction information is passed on from the communications device 2 to the system 1 and/or processed only in the case of successful dispatcher identification, i.e. correspondence between the dispatcher information and stored dispatcher data of authorized users. The dispatcher information preferably contains a secret password or a secret code number. In this case, the operation is what is referred to as a strong user authentication, i.e. the dispatcher is authenticated as an authorized user by virtue of the fact that, on the one hand, he knows something—namely the password or code number—and, on the other hand, he possesses something—in the present case the receiver device 3 to which the communication was transmitted, or alternatively the communication which he has received with the receiver device 3. Here, the receiver of the communication must add, in accordance with a third combination rule, the dispatcher information to a message which he generates.

In one preferred embodiment of the method according to the invention, the validation code, check code and/or dispatcher information are transmitted in encrypted form. To do this, the validation code and/or dispatcher information itself is preferably encrypted before it is added to the communication or message in accordance with a first or third combination rule. However, the entire communication and/or message can also advantageously be encrypted. If the communications device 2 receives an encrypted message, it must firstly be decrypted. If the check code or dispatcher information is present in an encrypted form after extraction from the message, it is to be decrypted. If the message contains dispatcher information, the risk of manipulation by unauthorized persons is reduced further by encrypted transmission because the dispatcher information cannot readily be acquired from illegitimately monitored or intercepted messages. Even if the code is to be subject to having a limited period of validity, encrypted transmission is advantageous. In this case, validity information can be added directly to the validation code, for example by appending. Manipulation of the validity information by the receiver is ruled out. After decryption of the message or check code in the communications device 2, the validity information is available again in plain text. It is thus not necessary to store the validity information.

In one preferred embodiment of the method according to the invention, the communication or the message is transmitted or received by means of the short message service (SMS) over a GSM or ISDN network.

In a further preferred embodiment of the method according to the invention, the message is received via a public computer network, preferably the Internet.

The means such as communications device 2, network interface 21, system interface 22, receiver device 3 and control device which are used for carrying out the method according to the invention in accordance with the description above are to be understood as functional elements and do not necessarily need to be embodied as stand-alone physical units. Thus, the method can advantageously also be used to remotely control and/or regulate a system 1 in which the communications device and/or the control device is integrated into the system 1. The communications device 2 can advantageously be integrated into an electronic computing system in which the control device is advantageously also implemented. The electronic computing system is advantageously also used as a data processing system when data relating to the system is acquired and analysed.

The method according to the invention can advantageously also be used in the remote control and/or regulation of computer-based systems such as, for example, data processing systems, financial transaction systems or trading systems.

The receiver of the communication will generally be a person. The communication can in this case advantageously also be present in an audible form and comprise, for example, a chronological sequence of information and the validation code. However, it is also conceivable for the receiver to be an electronic device which automatically generates a message with suitable instruction information in response to the communication and transmits it back to the communications device 2.

List of Reference Numerals

-   1 System
-   2 Communications device
-   21 Network interface
-   22 System interface
-   3 Receiver device

1. A method for remotely controlling and/or regulating at least one system, in particular an industrial system, using a communication device which is assigned to the system, wherein a communication is dispatched by the communication device, the communication comprises information relating to the system and a validation code, and from a message which the communication device receives after the communication has been dispatched, a check code is extracted according to a first extraction rule and by means of the validation code and the check code it is checked whether the message originates from a receiver of the communication, and only if the checking is successful, an instruction information according to the first extraction rule is extracted from the message and is implemented by the system, wherein the validation code has a limited period of validity, wherein a validity information is added to the validation code.
2. The method as claimed in claim 1, wherein the validity information is appended to or is prefixed to the validation code.
3. The method as claimed in claim 1, wherein the validation code is valid once.
4. The method as claimed in claim 1, wherein the validation code is generated by a random number generator.
5. The method as claimed in claim 1, wherein the validation code is transmitted in encrypted form.
6. The method as claimed in claim 1, wherein the validation code itself is encrypted before it is added in accordance with a first combination rule to the communication or message.
7. The method as claimed in claim 1, wherein the check code is transmitted in encrypted form.
8. The method as claimed in claim 1, wherein by the receiver of the communication, a dispatcher information is added to the message, which he generates, in accordance with a third combination rule, the dispatcher information is extracted from the message in accordance with a third extraction rule, by means of the dispatcher information and stored dispatcher data the dispatcher is identified, only if the checking, as to whether the message originates from a receiver of the communication, is successful and if the identification of the dispatcher is successful, an instruction information is implemented by the system, after the check code and dispatcher information have been extracted from the message, and if the checking and/or the identification of the dispatcher were/was not successful, the instruction information is ignored.
9. The method as claimed in claim 8, wherein the dispatcher information contains a secret password or a secret identification number.
10. The method as claimed in claim 8, wherein the dispatcher information is transmitted in encrypted form.
11. The method as claimed in claim 8, wherein the dispatcher information itself is encrypted before it is added to the message in accordance with a third combination rule.
12. The method as claimed in claim 1, wherein the entire communication and/or message are encrypted.
13. The method as claimed in claim 1, wherein the communication and/or the message are dispatched and/or received by means of short message service.
14. The method as claimed in claim 1, wherein the message is received via Internet.